Results 1 
6 of
6
PublicKey Cryptosystems Resilient to Key Leakage
"... Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidec ..."
Abstract

Cited by 89 (6 self)
 Add to MetaCart
(Show Context)
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidechannel attacks, especially the “cold boot attacks ” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of sidechannel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of publickey encryption, Akavia et al. showed that Regev’s latticebased scheme (STOC ’05) is resilient to any leakage of
Solving linear equations modulo divisors: On factoring given any bits
 In Advances in Cryptology  Asiacrypt 2008, volume 5350 of LNCS
, 2008
"... Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is wellknown that this problem is polynomialtime solvable if at most half of ..."
Abstract

Cited by 25 (0 self)
 Add to MetaCart
Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is wellknown that this problem is polynomialtime solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce an heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70 % of the bits are sufficient for any n in order to find the factorization. The algorithm’s running time is however exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log logN) blocks.
Reconstructing rsa private keys from random key bits
 In CRYPTO
, 2009
"... We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algori ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
(Show Context)
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments. 1
Available from the IACR Cryptology ePrint Archive as Report 2008/510. Reconstructing RSA Private Keys from Random Key Bits
"... We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algori ..."
Abstract
 Add to MetaCart
(Show Context)
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments. 1
DISCRETE LOGARITHMS, DIFFIEHELLMAN, AND REDUCTIONS
"... Abstract. We consider the OnePrimeNotp and AllPrimesButp variants of the Discrete Logarithm (DL) problem in a group of prime order p. We give reductions to the DiffieHellman (DH) problem that do not depend on any unproved conjectures about smooth or prime numbers in short intervals. We show t ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We consider the OnePrimeNotp and AllPrimesButp variants of the Discrete Logarithm (DL) problem in a group of prime order p. We give reductions to the DiffieHellman (DH) problem that do not depend on any unproved conjectures about smooth or prime numbers in short intervals. We show that the OnePrimeNotpDL problem reduces to DH in time roughly Lp(1/2); the AllPrimesButpDL problem reduces to DH in time roughly Lp(2/5); and the AllPrimesButpDL problem reduces to the DH plus Integer Factorization problems in polynomial time. We also prove that under the Riemann Hypothesis, with ε log p queries to a yesorno oracle one can reduce DL to DH in time roughly Lp(1/2); and under a conjecture about smooth numbers, with εlog p queries to a yesorno oracle one can reduce DL to DH in polynomial time. 1.
Exposing an RSA Private Key Given a Small Fraction of its Bits
"... Abstract We show that for low public exponent rsa, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N 1=4; N 1=2], half the bits of ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract We show that for low public exponent rsa, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N 1=4; N 1=2], half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the rsa public key system.